Software applications typically include flaws or defects, causing the software to operate in an unintended or undesired manner. Sometimes, a developer or a group of developers may introduce flaws/defects purposefully, so as to facilitate misuse of the software system/application and/or to facilitate unauthorized access to the data managed or analyzed by the software system/application. Typically, however, the flaws/defects in the code are introduced inadvertently and unintentionally. For example, a flaw may be introduced due to a programming error, or because the code developer failed to comply with a recommended coding practice. Sometime, a flaw is introduced because a developer is inexperienced and does not have the required proficiency in the computation logic to be implemented by the software and/or the programming language.
Static and/or dynamic vulnerability analysis techniques that can analyze the source code and/or one or more compiled binary files corresponding to a software application can be used to detect any vulnerabilities in the software application. A static analyzer that can analyze one or more compiled binary files corresponding to a software application is useful at least in situations where the source code is unavailable for a number of reasons, e.g., when the owner of the source code wishes not to disclose the source code to the tester performing the static analysis, when a portion of the binary files is obtained from a third party and the corresponding source code is not available from the third party, etc.
Dynamic analysis typically involves at least a partial execution of one or more binary files (also called binaries), and can detect flaws in the code by analyzing results produced by the software in response to one or more stimuli or inputs. As used herein, binary files are not limited to machine code only and may include files that are derived by processing source code and that include representations that are not source code representations, such as byte code, object code, intermediate representation, etc., where these representations are dependent on the respective programming languages used.
Large software applications/systems are often developed by several, e.g., 2, 5, 10, 16, 25, 40, 70, or even more developers. The developers are generally responsible for not only writing or specifying portions of the software application but also for maintenance, such generally includes remedying defects identified via code analysis and/or testing and reported by users. A typical software application may include dozens, hundreds, thousands, hundreds of thousands, or even more defects. Various static and dynamic analyzers can identify many of these defects, but usually little information, if any at all, is available from a static and/or dynamic analysis report that can readily identify which particular developer introduced a particular defect or remedied a certain defect. Such information can be valuable when the number of developers and number of defects are large, in order to minimize the introduction of defects and thereby to improve the quality of the software application.